System and method for providing warranties in electronic commerce

ABSTRACT

A system and method are disclosed for providing warranties that financially guarantee one or more facts associated with an electronic transaction. In a preferred embodiment, warranties issued in the present system comprise a contract between a first party and a second party in which the first party: (1) warrants one or more warranted facts (2) for damages up to a warranted amount (3) if claimed by a relying customer within a claim period. The warranty is preferably issued by a participant in response to a request received from a customer that specifies a desired warranted amount and claim period. The participant and root entity evaluate the request in light of a plurality of factors and determine whether or not the warranty should be issued. In a preferred embodiment, the warranty comprises a contract between the buyer and its issuing participant. The seller is preferably a third-party beneficiary of this contract.

[0001] This application is a continuation of U.S. patent application Ser. No. 09/928,998, filed Aug. 14, 2001, entitled System and Method for Providing Warranties in Electronic Commerce, which claimed priority from U.S. provisional patent application serial No. 60/224,994, filed Aug. 14, 2000, entitled Signing Interface Compliance Requirements, Smart Card Compliance Requirements, Warranty Service Functional Requirements, and Additional Disclosure; and U.S. provisional patent application serial No. 60/259,796, filed Jan. 4, 2001, entitled Warranty Manager Application Programming Interface, Warranty Messaging Specification, and Warranty Manager Functional Requirements, all three of which are hereby incorporated by reference.

COPYRIGHT NOTICE

[0002] A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by any of the patent document of the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND OF THE INVENTION

[0003] The world of electronic commerce has created new challenges to establishing relationships between contracting parties. One of those challenges springs from the fact that the parties to the transaction cannot see or hear each other, and cannot otherwise easily confirm each other's identity and authority to act.

[0004] One remedy for this problem is to provide each contracting party with a private key for signing transmitted messages. The signing party makes available an associated public key that decrypts messages signed with the party's private key, and thus enables a receiving party to confirm the identity of the sender.

[0005] But the sender's public key may not be known a prior to the recipient. In that event, the sender may transmit with its signed message a digital certificate issued by a certification authority. The certificate is itself a signed electronic document (signed with the private key of the certification authority) certifying that a particular public key is the public key of the sender.

[0006] In some cases, the recipient may be unfamiliar with the public key of the certification authority or may not know whether the certificate is still valid. In that event, the recipient may wish to check the validity of the certificate with an entity that it trusts. In addition, the recipient may wish to obtain a financial guarantee to protect itself against damage that it may suffer from reliance on an invalid certificate.

SUMMARY OF THE INVENTION

[0007] A system and method are disclosed for providing warranties that financially guarantee one or more facts associated with a an electronic transaction. In a preferred embodiment, the warranties are provided within the context of a four-corner trust model. The four-corner model comprises a buyer, also referred to as the subscribing customer, and a seller, also referred to as the relying customer, who engage in an on-line transaction.

[0008] In a preferred embodiment, the buyer is a customer of a first financial institution, referred to as an issuing participant. The issuing participant acts as a certification authority for the buyer and issues the buyer a hardware token including a private key and a digital certificate signed by the issuing participant.

[0009] In a preferred embodiment, the seller is a customer of a second financial institution, referred to as the relying participant. The relying participant acts as a certification authority for the seller and issues the seller a hardware token including a private key and a digital certificate signed by the relying participant. The system also includes a root entity that maintains a root certification authority that issues digital certificates to the issuing and relying participants.

[0010] In a preferred embodiment, a warranty issued in the present system comprises a contract between a first party and a second party in which the first party: (1) warrants one or more warranted facts (2) for damages up to a warranted amount (3) if claimed by a relying customer within a claim period. The warranty is preferably issued by a participant in response to a request received from a customer that specifies a desired warranted amount and claim period. The participant and root entity evaluate the request in light of a plurality of factors and determine whether or not the warranty should be issued. In a preferred embodiment, the warranty comprises a contract between the buyer and its issuing participant. The seller is preferably a third-party beneficiary of this contract.

[0011] In a preferred embodiment, in order to manage the liability risks associated with issuing warranties, the root entity imposes a series of limits, called participant warranty caps, on the warranty volume that each issuing participant may have outstanding. These caps are intended to limit the aggregate level of operating risk exposure for individual participants and to limit the overall risk in the system.

[0012] If a seller suffers damage as a result of its reliance on a warranted fact, the seller may file a claim for compensation against the issuing participant. If the issuing participant determines to pay the claim, it transfers sufficient funds to the relying participant for the benefit of the seller. If the issuing participant determines to dispute the claim, the issuing participant and seller proceed to dispute resolution.

[0013] In a preferred embodiment, the root entity imposes collateral requirements on the issuing participant that may be used to pay claims for damages filed by sellers if the issuing participant is unable or unwilling to satisfy a warranty claim. The collateral is preferably held by a third-party collateral agent that is contractually obligated to pay warranty claims from the issuing participant's collateral account if ordered to do so under system operating rules.

[0014] The features and advantages described in the specification are not all inclusive, and many additional features and advantages will be apparent to one of ordinary skill in the art in view of the drawings, specification, and claims hereof.

BRIEF DESCRIPTION OF THE DRAWINGS

[0015] The above summary of the invention will be better understood when taken in conjunction with the following detailed description and accompanying drawings, in which:

[0016]FIG. 1 is a block diagram of a preferred embodiment of a four-corner model suitable for use in the present system;

[0017]FIG. 2 is a block diagram of a preferred embodiment showing components provided at entities in the four-corner model;

[0018]FIG. 3 illustrates a preferred embodiment of a warranty-issuance process flow;

[0019]FIG. 4 illustrates a preferred embodiment of certain messages used in the preferred embodiment of FIG. 3;

[0020]FIG. 5 illustrates a preferred embodiment of certain messages used in the preferred embodiment of FIG. 3;

[0021]FIG. 6 illustrates a preferred embodiment of certain messages used in the preferred embodiment of FIG. 3;

[0022]FIG. 7 illustrates a preferred embodiment of a warranty-claim process flow;

[0023]FIG. 8 illustrates a preferred embodiment of certain messages used in the preferred embodiment of FIG. 7;

[0024]FIG. 9 illustrates a preferred embodiment of a process for collateral updating and monitoring;

[0025]FIG. 10 illustrates a preferred embodiment for implementing a warranty manager;

[0026]FIG. 11 illustrates an alternative preferred embodiment for implementing a warranty manager;

[0027]FIG. 12 illustrates a preferred embodiment of data elements used to construct warranty messages;

[0028]FIG. 13 illustrates a preferred embodiment of data descriptions and restrictions for the data elements in FIG. 12;

[0029]FIG. 14 illustrates a preferred embodiment of data elements used to construct warranty claims messages; and

[0030]FIG. 15 illustrates a preferred embodiment of data elements, and corresponding descriptions and restrictions, used to construct validation reporting messages.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0031] The present disclosure relates to a system and method for providing warranties that financially guarantee one or more facts associated with an electronic transaction. In a preferred embodiment, warranties are provided within the context of a four-corner trust model. A preferred embodiment of the four-corner model is shown in FIG. 1.

[0032] As shown in FIG. 1, the four-corner model preferably comprises a first institution 102 and a second institution 104. First institution 102 is referred to as the “issuing participant” because it is a participant in the present system and issues to its customers tokens that include a private key and a digital certificate signed by the issuing participant, as described below. Second institution 104 is referred to as the “relying participant” because it is a participant in the present system and its customers rely on representations made by issuing participant 102 and issuing participant 102's customers, as described below. Participants 102, 104 may preferably be banks or other financial institutions.

[0033] Also shown in FIG. 1 are a first customer 106 and a second customer 108. First customer 106 and second customer 108 are preferably customers of issuing participant 102 and relying participant 104, respectively. First customer 106 is referred to as the “subscribing customer” because this customer subscribes to services provided by issuing participant 102. First customer 106 is also referred to as the “buyer” because it typically fills that role in transactions with second customer 108, as described below.

[0034] Second customer 108 is referred to as the “relying customer” because it relies on representations made by both issuing participant 102 and subscribing customer 106. Second customer 108 is also referred to as the “seller” because it typically fills that role in transactions with subscribing customer 106, as described below. It should be recognized, however, that although the description below speaks primarily in terms of a buyer 106 and a seller 108, first customer 106 and second customer 108 may instead have different roles in a given transaction. For example, first customer 106 may be a borrower repaying a loan to second customer 108.

[0035] Also shown in FIG. 1 is a root entity 110. Root entity 110 is preferably an organization that establishes and enforces a common set of operating rules for facilitating electronic commerce and electronic communications. Root entity 110 may be owned jointly by a plurality of banks and/or other financial institutions that have agreed to adhere to these operating rules. One exemplary embodiment of such a root entity is described in copending U.S. application Ser. No. 09/502,450, filed Feb. 11, 2000, entitled System and Method for Providing Certification Related and Other Services and in copending U.S. application Ser. No. 09/657,623, filed Sep. 8, 2000, entitled System and Method for Providing Certificate-Related and Other Services, which are hereby incorporated by reference.

[0036]FIG. 2 illustrates components provided at each entity in a preferred embodiment of the present system. As shown in FIG. 2, participants 102, 104, and root entity 110 are each preferably provided with a transaction coordinator 202 that serves as a gateway for transmitting and receiving all inter-entity messages related to services provided by the present system. Transaction coordinators 202 provide a single interface to issuing participant 102's and relying participant 104's on-line services and implement safeguards necessary to ensure secure electronic communications between transaction coordinators 202 and other entities in the four-corner model, as described in copending U.S. patent application Ser. No. 09/657,605, filed on Sep. 8, 2000, entitled System and Method for Providing Certificate Validation and Other Services, which is hereby incorporated by reference. Each transaction coordinator 202 is preferably provided with an associated hardware security module (HSM) 218 for signing and verifying messages. Participants 102, 104, and root entity 110 are each further preferably provided with an Online Certificate Status Protocol (OCSP) responder 204 and associated HSM 206 for signing and verifying signatures on messages.

[0037] Participants 102, 104, and root entity 110 are each further preferably provided with a warranty manager 230. Warranty manager 230 is adapted to receive and transmit messages relating to warranty services and evaluate warranty requests, as described in more detail below.

[0038] As further shown in FIG. 2, relying customer 108 is preferably provided with a Web server 220 adapted to receive and transmit information via the Internet and a bank interface 222 for accessing system services. An exemplary bank interface is described in copending U.S. application Ser. No. 09/657,604, filed on Sep. 8, 2000, entitled System and Method for Facilitating Access by Sellers to Certificate-Related and Other Services, which is hereby incorporated by reference. Relying customer 108 is preferably further provided with an HSM 250 for signing and verifying signatures on messages.

[0039] As further shown in FIG. 2, subscribing customer 106 is preferably provided with a Web browser 224 adapted to receive and transmit information via the Internet. Subscribing customer 106 is also preferably provided with a smartcard subsystem 226 adapted to sign electronic messages. In a preferred embodiment, smartcard subsystem 226 may include a smartcard reader, a smartcard driver, a smartcard token, and other software, as described in U.S. provisional application serial No. 60/224,994, filed Aug. 14, 2000, Signing Interface Requirements, Smart Card Compliance Requirements, Warranty Service Functional Requirements, and Additional Disclosure and U.S. application Ser. No. ______, filed Aug. 14, 2001, entitled System and Method for Secure Smartcard Issuance, which are hereby incorporated by reference. In a preferred embodiment, the smartcard token is issued to subscribing customer 106 by its issuing participant 102.

[0040] Subscribing customer 106 is also preferably provided with a signing interface 225. Signing interface 225 is adapted to invoke smartcard 226 to execute a digital signature, as described in U.S. provisional application serial No. 60/224,994, filed Aug. 14, 2000, entitled Signing Interface Requirements, Smart Card Compliance Requirements, Warranty Service Functional Requirements, and Additional Disclosure and U.S. application Ser. No. ______, filed Aug. 14, 2001, entitled System and Method for Facilitating Signing by Buyers in Electronic Commerce, which are hereby incorporated by reference.

[0041] In a preferred embodiment, each system entity is further preferably provided with two digital certificates (and corresponding private keys) to facilitate authentication: an identity certificate and a utility certificate.

[0042] The identity private key is used to produce digital signatures that are required by root entity 110 as evidence of an entity's contractual commitment to the contents of an electronic transaction, such as a purchase order.

[0043] The utility private key is used to provide additional transactional security. Typically, utility certificates are used to support secure socket layers (SSL), to sign secure multipurpose Internet mail extension (S/MIME) messages, and for other utility applications. Any reference in this document to the term “certificate” refers to an identity certificate unless otherwise stated.

[0044] In a preferred embodiment, root entity 110, in its capacity as a certification authority, uses a root private key to create the digital certificates of each system participant (e.g., issuing participant 102 and relying participant 104). In addition, it uses the root private key to create digital certificates for each system component maintained by root entity 110 that has digital signing capability, including OCSP responder 204 _(R) and transaction coordinator 202 _(R).

[0045] In addition, each system participant (e.g., issuing participant 102 and relying participant 104), in its capacity as a certification authority, uses the private key associated with its certificate from root entity 110 to create the digital certificates of its customers (e.g., subscribing customer 106 and relying customer 108). In addition, it uses this private key to create digital certificates for each system component that it maintains that has digital signing capability, including its OCSP responder 204 and transaction coordinator 202. In an alternative embodiment, the digital certificates for system components with digital signing capability that are maintained by a participant may be issued by root entity 1 10.

[0046] It should also be recognized that each customer 106, 108, may be a business entity, such as a corporation, that employs many individuals. In such cases, customers 106, 108 preferably authorize some or all of these individual employees to transact and utilize system services on their behalf. Issuing participant 102 preferably issues a separate smartcard token having a distinct private key and associated digital certificate to each authorized employee of subscribing customer 106. Similarly, relying participant 104 (in its capacity as “issuing participant” to relying customer 108) preferably issues a separate smartcard token having a distinct private key and associated digital certificate to each authorized employee of relying customer 108. The digital certificates preferably include the individual employee's name and identify the customer for whom he or she works. In an alternative embodiment, the private key may instead be included in a software token provided to the individual.

[0047] Although the preferred embodiment described above employs transaction coordinators at each participant 102, 104 and at root entity 110, it should be noted that, in an alternative embodiment, the system may be designed without some or all of these transaction coordinators. In this alternative embodiment, messages created, signed, or transmitted by, to, or via a transaction coordinator in the following description, may instead be created, signed, or transmitted by, to, or via a substitute system component adapted to comprise appropriate hardware and/or software to provide the desired functionality.

Warranty Products

[0048] Before describing in detail preferred embodiments for requesting and issuing warranties, an overview of the preferred warranty products provided by the present system is presented. In a preferred embodiment, a warranty issued in the present system comprises a contract between a first party and a second party in which the first party: (1) warrants one or more warranted facts (2) for damages up to a warranted amount (3) if claimed by a relying customer within a claim period.

[0049] In a preferred embodiment, the warranted facts include: (a) that a subscribing customer 106 will not repudiate a digital signature executed with an identity private key issued by its issuing participant 102; and (b) that the subscribing customer 106's certificate was valid at the time the signature was executed.

[0050] In a preferred embodiment, to repudiate a digital signature in this context means to deny that a signature is genuine. A signature is genuine in this context if it is a signature of the subscribing customer on a digital transmission made in a representative capacity by the individual named in the digital certificate associated with the private key used to sign the transmission.

[0051] In an alternative preferred embodiment, to repudiate a digital signature in this context means to deny that a signature is authorized. A signature is authorized in this context if, with respect to a digital transmission, the individual who made the digital signature of the subscribing customer on a digital transmission had actual authority to do so.

[0052] Authorized in this context does not mean that the issuance or signing of the digital transmission or the execution or performance of any underlying transaction was or is rightful or proper.

[0053] The warranted amount establishes the maximum dollar amount of recovery that a relying customer 108 may recover for damage suffered as a result of reliance on the warranty. As noted, this amount is preferably a maximum, i.e., the highest amount that relying customer 108 may recover. If the relying customer's damage is less than this maximum, then the relying customer preferably recovers only its actual damage.

[0054] The claim period is the period during which relying customer 108 must file a claim under the warranty in order to recover for any damage suffered. If no claim is filed within the claim period, the warranty expires, as described in more detail below.

[0055] In a preferred embodiment, warranties expire at 22:00 GMT regardless of the time of day the warranty issued. For example, for a warranty issued with a claim period of 14 days, 14 24-hour periods are counted from the time the warranty is issued, and the warranty expires at 22:00 GMT following that time. Thus, in this preferred embodiment, if, for example, a warranty is issued on the first of the month at 2:00 PM Eastern Daylight Time, the warranty would expire at 22:00 GMT (i.e., 6:00 PM Eastern Daylight Time) on the 15^(th) of the month. By contrast, in this preferred embodiment, if, for example, a warranty is issued on the first of the month at 7:00 PM Eastern Daylight Time, the warranty would expire at 22:00 GMT on the 16^(th) of the month.

[0056] In an alternative embodiment, warranties may expire at 21:00 GMT on the last day of the claim period regardless of the time of day the warranty issued, as described in U.S. provisional patent application serial No. 60/224,994, filed Aug. 14, 2000, entitled Signing Interface Compliance Requirements, Smart Card Compliance Requirements, Warranty Service Functional Requirements, and Additional Disclosure, which is hereby incorporated by reference.

[0057] In a preferred embodiment, warranties are issued by a participant in response to a request received from a customer. The request preferably specifies the desired warranty amount and claim period. The participant and root entity 110 evaluate the request in light of a plurality of factors, described in more detail below, and determine whether or not the warranty should be issued. In a preferred embodiment, the warranty is requested by a subscribing customer 106 from its issuing participant 102. In a preferred embodiment, the first party to the warranty contract is issuing participant 102 and the second party to the warranty contract is subscribing customer 106. Relying customer 108 is preferably a third-party beneficiary of the warranty contract with recourse against' issuing participant 102 for monetary compensation up to the warranted amount.

[0058] In a preferred embodiment, the operating rules establish a $500 minimum value for a warranty. In addition, issuing participant 102 may establish its own minimum value for warranties that it issues which may not be lower than that established by root entity 110. The system operating rules also preferably establish a $100,000 maximum value for a warranty. In addition, issuing participant 102 may establish its own maximum value for warranties that it issues which may not be higher than that established by root entity 110. In a preferred embodiment, the operating rules require that the claim period of a warranty be one of: 7, 14, 30, 60, 90, or 180 days.

Warranty Caps

[0059] In a preferred embodiment, in order to manage the liability risks associated with issuing warranties, root entity 110 imposes a series of limits, called participant warranty caps, on the warranty volume that each issuing participant may have outstanding. These caps are intended to limit the aggregate level of operating risk exposure for individual participants and to limit the overall risk in the system.

[0060] As used herein, the term “warranty volume” refers to the aggregate dollar amount of outstanding (i.e., unexpired) warranties issued by or for a system entity. Thus, for example, if an issuing participant has issued 500 warranties with warranted amounts of $500 each and 200 warranties with warranted amounts of $10,000 each, then the participant's warranty volume is $2.25 M. In addition, as used herein, the term “warranty cap utilization,” when expressed as an amount of currency, refers to the warranty volume of an issuing participant 102. When expressed as a percentage value, the term “warranty cap utilization” refers to the participant's warranty volume divided by its warranty cap.

[0061] As described below, in a preferred embodiment, a participant's warranty volume is compared to its participant warranty cap before a warranty is issued and the warranty is not issued if the warranted amount would push the issuing participant over its cap.

[0062] A preferred embodiment for calculating a participant warranty cap for each issuing participant 102 is described below. Any reference in this document to a “warranty cap” refers to a participant warranty cap, unless otherwise specified.

[0063] In a preferred embodiment, each issuing participant 102 may also establish a customer warranty cap for each of its subscribing customers 106. A customer warranty cap limits the total warranty volume issued for a subscribing customer 106 that may be outstanding at any time, as described in more detail below.

[0064] In a preferred embodiment, each issuing participant 102 may also establish an individual warranty cap for each employee of subscribing customer 106 that is authorized to act on the customer's behalf. An individual warranty cap limits the total warranty volume issued for an authorized individual that may be outstanding at any time, as described in more detail below.

[0065] In a preferred embodiment, root entity 110 may also establish a country-specific warranty cap. This warranty cap limits the warranty volume that all participants in a given country may have outstanding at any time.

[0066] In a preferred embodiment, subscribing customer 106 may also establish warranty caps for itself and its employees that limit the warranty volume that it or its employees may have outstanding at any time. Subscribing customer 106 conveys these warranty caps to its issuing participant which enforces them in its warranty-issuance process, as described in more detail below.

Collateral

[0067] In a preferred embodiment, root entity 110 imposes collateral requirements on issuing participant 102 that may be used to pay claims for damages filed by relying customers if the issuing participant is unable or unwilling to satisfy a warranty claim. The collateral is preferably held by a third-party collateral agent that is contractually obligated to pay warranty claims from a participant's collateral account if, pursuant to dispute resolution procedures described in more detail below, the participant is ordered to pay a warranty claim but is unable or unwilling to do so. A preferred embodiment for calculating collateral requirements for each issuing participant 102 is described in more detail below.

Warranty-Issuance Process Flow

[0068] A preferred embodiment of a warranty-issuance process flow is now described in connection with FIG. 3 and FIGS. 4-6. As will be recognized from the description below, FIGS. 4-6 respectively cover distinct contingencies that may occur during operation of this preferred embodiment. In particular, FIG. 4 is directed to the case where a warranty is issued; FIG. 5 is directed to the case where a warranty is rejected by issuing participant 102; and FIG. 6 is directed to the case where a warranty is rejected by root entity 110.

[0069] Before commencing the description of this preferred embodiment, a brief overview of the messages shown in FIGS. 4-6 is presented. Preferred specifications for each of these messages are described in more detail below. As shown in FIGS. 4-6, the system utilizes the following messages in the warranty-issuance process:

[0070] (1) Wrequest: used by a customer to request a warranty;

[0071] (2) Wproposed: used by issuing participant 102 to propose a warranty to root entity 110;

[0072] (3) Wconfirmation: used by root entity 110 to indicate approval of the terms of a proposed warranty,

[0073] (4) Wauthorizedandissued: used by issuing participant 102 to indicate approval of a requested warranty and to confirm warranty issuance; and

[0074] (5) WReject: used by issuing participant 102 and root entity 110 to indicate rejection of a warranty request.

[0075] Turning to FIG. 3, in step 301, subscribing customer 106 visits relying customer 108's Web site. The parties preferably authenticate themselves to each other over an SSL session with their utility keys.

[0076] In step 302, Web server 220 communicates data to be digitally signed to browser 224 (e.g., a purchase order for an agreed-to transaction). In step 303, the data to be signed is 35 forwarded to smartcard subsystem 226 which signs the data. In step 304, the executed digital signature is returned to browser 224. In a preferred embodiment, this signing process may be facilitated by using a signing interface 225 to invoke smartcard subsystem 226, as described in U.S. provisional application serial No. 60/224,994, filed Aug. 14, 2000, entitled Signing Interface Requirements, Smart Card Compliance Requirements, Warranty Service Functional Requirements, and Additional Disclosure, which is hereby incorporated by reference.

[0077] In step 305, software on the subscribing customer's computer creates a request for warranty and transmits the request to transaction coordinator 2021p of issuing participant 102 (message 1 in FIGS. 4-6). In a preferred embodiment, this software may be implemented as a component of the signing interface. In an alternative embodiment, this software may be implemented as a component of smartcard subsystem 226. In yet another alternative embodiment, this software may be implemented as a plug-in to browser 224 or as a component of another suitable software program resident on the subscribing customer's computer. The warranty request is preferably digitally signed by subscribing customer 106.

[0078] Upon receipt of the request for warranty, in step 306, transaction coordinator 202 _(IP) checks that the subscribing customer's digital certificate is valid. In a preferred embodiment, this step may be performed by validating the digital certificate with OCSP responder 204 _(IP). If the digital certificate is not valid, processing proceeds to step 312, described below.

[0079] If the subscribing customer certificate is valid, then, in step 307, transaction coordinator 202 _(IP) forwards the request to its warranty manager 230 _(IP) for a determination as to whether issuing participant 102 may and/or should assume the liability associated with the warranty requested by subscribing customer 106 (message 2 in FIGS. 4-6).

[0080] Warranty manager 230 _(IP) receives the warranty request message from transaction coordinator 202 _(IP) and evaluates the warranty request both with respect to its internal risk management policies and with respect to the total value of warranties it has already extended. In particular, in step 308, warranty manager 230 _(IP) checks that the warranty request is for a permitted amount (i.e., not greater than any maximum specified by issuing participant 102 or root entity 110 and not less than any minimum specified by issuing participant 102 or root entity 110). If the request is not for a permitted amount, processing proceeds to step 312, described below. In step 309, warranty manager 230 _(IP) checks that the warranty request is for a permitted claim period (i.e., is for one of 7, 14, 30, 60, 90, or 180 days, in the preferred embodiment described above). If the request is not for a permitted claim period, processing proceeds to step 312, described below.

[0081] In step 310, warranty manager 230 _(IP) checks that the requested warranty amount will not cause any established warranty cap to be exceeded. Thus, warranty manager 230 _(IP) retrieves from memory the warranty cap utilization of issuing participant 102 and checks that the requested warranty amount will not cause its own participant warranty cap to be exceeded, as well as any other warranty caps (e.g., customer or individual warranty caps) established by itself or by subscribing customer 106. If the requested warranty would cause any established cap to be exceeded, then processing proceeds to step 312, described below.

[0082] In step 311, warranty manager 230 _(IP) performs any other checks or risk management analysis put in place by issuing participant 102. For example, issuing participant 102 may implement fraud software that detects unlikely usage patterns for a digital certificate and denies a warranty when such a usage pattern is detected. If any such additional check fails or if any such analysis indicates that no warranty should be issued, processing proceeds to step 312, described below.

[0083] If one or more of the above checks fail or if any other risk management process indicates that a warranty should not be issued, then, in step 312, warranty manager 230 _(IP) denies the requested warranty by transmitting a rejection message to transaction coordinator 202 _(IP) (message 3.2 in FIG. 5). In step 313, transaction coordinator 202 _(IP) digitally signs the rejection message and forwards it to subscribing customer 106 (message 10.2 in FIG. 5).

[0084] Otherwise, in step 314, warranty manager 230 _(IP) logs the terms of the requested warranty and transmits a proposed warranty to transaction coordinator 202 _(IP) (message 3.1 in FIGS. 4, 6). In step 315, transaction coordinator 202 _(IP) digitally signs the proposed warranty and forwards it to transaction coordinator 202 _(R) (message 4 in FIGS. 4, 6). In step 316, transaction coordinator 202 _(R) forwards the proposed warranty message to warranty manager 230 _(R) (message 5 in FIGS. 4, 6).

[0085] In step 317, warranty manager 230 _(R) checks that the warranty request is for a permitted amount (i.e., not greater than any maximum specified by root entity 110 and not less than any minimum specified by root entity 110). If the request is not for a permitted amount, processing proceeds to step 320, described below. In step 318, warranty manager 230 _(R) checks that the warranty request is for a permitted claim period (i.e., is for one of 7, 14, 30, 60, 90, or 180 days, in the preferred embodiment described above). If the request is not for a permitted claim period, processing proceeds to step 320, described below.

[0086] In step 319, warranty manager 230 _(R) retrieves from memory the warranty cap utilization of issuing participant 102 and checks that the requested warranty amount will not cause issuing participant 102's participant warranty cap to be exceeded, as well as any other warranty caps that it has established (e.g., country warranty caps). If the requested warranty would cause any established cap to be exceeded, then processing proceeds to step 320, described below.

[0087] If one or more-of the above checks fail, then, in step 320, warranty manager 230 _(R) denies the requested warranty by transmitting a rejection message to transaction coordinator 202 _(R) (message 6.2 in FIG. 6). In step 321, transaction coordinator 202 _(R) digitally signs the rejection message and forwards it to transaction coordinator 202 _(IP) (message 7.2 in FIG. 6). In step 322, transaction coordinator 202 _(IP) forwards the rejection message to warranty manager 230 _(IP) (message,8.2 in FIG. 6). In step 323, transaction coordinator 202 _(IP) formulates a rejection message and transmits it to subscribing customer 106 (message 10.2 in FIG. 6).

[0088] Otherwise, in step 324, warranty manager 230 _(R) logs the terms of the proposed warranty and generates a unique warranty identification (ID) number for the warranty. In addition, warranty manager 230 _(R) updates the issuing participant's warranty cap utilization to reflect the warranted amount. In step 325, warranty manager 230 _(R) generates a warranty confirmation that includes the warranty identification number and transmits it to transaction coordinator 202 _(R) (message 6.1 in FIG. 4). In step 326, transaction coordinator 202 _(R) digitally signs the warranty confirmation and forwards it to transaction coordinator 202 _(IP) (message 7.1 in FIG. 4). In step 327, transaction coordinator 202 _(IP) forwards the warranty confirmation to warranty manager 230 _(IP) (message 8.1 in FIG. 4). In step 328, warranty manager 230 _(IP) logs the confirmation message and updates its warranty cap utilization to reflect the warranted amount. In step 329, warranty manager 230 _(IP) generates a warranty authorized and issued message comprising the terms of the warranty (message 9.1 in FIG. 4) and sends it to transaction coordinator 202 _(IP). In step 330, transaction coordinator 202 _(IP) digitally signs the warranty authorized and issued message and forwards it to subscribing customer 106 (message 10.1 in FIG. 4). In step 331, subscribing customer 106 appends the signed warranty authorized and issued message to its digital signature and returns the signed transaction data to relying customer 108.

[0089] In step 332, relying customer 108 prepares an OCSP request to validate the certificate of the system component that signed the warranty authorized and issued message (transaction coordinator 202 _(IP) in this preferred embodiment). In step 333, relying customer 108 transmits the request to relying participant 104 for validation. The validation process may proceed in a manner analogous to that described in co-pending U.S. application Ser. No. 09/657,605, filed Sep. 8, 2000, entitled System and Method for Providing Certificate Validation and Other Services, which is hereby incorporated by reference. In particular the OCSP request may be transmitted to OCSP responder 204 _(IP) via transaction coordinator 202 _(IP). OCSP responder 204 _(IP) prepares and signs an OCSP response which is then returned to the relying participant via transaction coordinator 202 _(IP) In a preferred embodiment, this validation request may be bundled with a validation request for subscribing customer 106's certificate and the two requests may be jointly processed.

[0090] In step 334, relying customer 108 receives the validation response from relying participant 104. If the validation is positive, relying customer 108 may be confident that the warranty is valid.

[0091] In a preferred embodiment, root entity 110 may establish as an operating rule that a warranty issued in accordance with the above-described preferred embodiment is effective as soon as it is issued and that no validation is required to render the warranty enforceable. The operating rule may also preferably specify that if, at the time the warranty was signed, an OCSP request for the certificate of the system component that signed the certificate (transaction coordinator 202 _(IP) in this preferred embodiment, hereafter the “warranty issuer” or “issuer”) would have resulted in a negative response, then the warranty is not enforceable.

[0092] As will be recognized, in this preferred embodiment, the enforceability of the warranty does not turn on whether or not relying customer 108 actually requests validation of the issuer's certificate. Nevertheless, relying customer 108 may likely wish to validate the issuer's certificate before relying on the warranty because without such validation, relying customer 108 cannot be certain that the warranty will be enforceable.

[0093] In addition to benefitting the relying customer, this validation may also facilitate business purposes important to system participants, including relying participant 104. In particular, since, as noted, relying customer 108 is typically a customer of relying participant 104, it may be desirable to provide relying customer 108 a strong motivation to continue to use services provided by relying participant 104, even in cases where a warranty issued by issuing participant 102 (of whom relying customer 108 is not necessarily a customer) is automatically enforceable without any action by relying participant 108. This preferred embodiment facilitates these business purposes because, although the issued warranty (if valid when signed) is enforceable without any action by relying customer 108, relying customer 108 will nevertheless likely choose to utilize its relying participant's validation service to validate the warranty issuer's certificate to ensure that the warranty is enforceable.

[0094] In an alternative preferred embodiment that also facilitates these business purposes, root entity 110 may establish an operating rule that a warranty issued in accordance with the above-described preferred embodiment does not go into effect until received by relying customer 108. Proof of time of receipt may be established, for example, by timestamping the received warranty with a third-party timestamping service or by validating the warranty issuer's certificate and preserving the timestamped OCSP response. The operating rule may also specify that, if between the time that the warranty was issued by issuing participant 102 and the time that the warranty was received by relying participant 108, the warranty issuer's certificate becomes invalid, then the warranty is unenforceable.

[0095] In this preferred embodiment as well, when a relying participant 108 receives a warranty from a subscribing customer 106, it cannot be certain that the warranty will be enforceable against issuing participant 102 unless it confirms after receiving the warranty that the warranty issuer's certificate remains valid. Accordingly, relying participant 108 will likely wish to validate the warranty issuer's certificate using its relying participant's validation service.

[0096] As will be recognized, in this preferred embodiment as well, the validity of the issued warranty does not turn on whether or not relying customer requests validation of the warranty issuer's certificate. In particular, if the certificate is valid, the warranty will be enforceable even if the relying customer does not confirm its valid status. Similarly, if the warranty issuer's certificate is invalid, the warranty will not be enforceable even if the relying customer does confirm its invalid status. Thus, in the former case, the warranty is enforceable when received (although the relying customer may not know this for certain without validation) and does not require any action by the relying customer to render it enforceable.

[0097] It should be recognized that although in the preferred embodiments described above, the warranty issuer is transaction coordinator 202p, the warranty issuer may alternatively be some other component with signing capability maintained by issuing participant 102. For example, if warranty manager 230 _(IP) is provided with digital signing capability (e.g., an HSM), then warranty manager 230 _(IP) may itself sign all warranty messages created by issuing participant 102. Alternatively, another system component with signing capability may be designated to sign all warranty messages created by issuing participant 102.

[0098] In addition, as noted above, although the preferred embodiments described above employs transaction coordinators at each participant 102, 104 and at root entity 110, it should be noted that, in an alternative embodiment, the system may be designed without some or all of these transaction coordinators. In this alternative embodiment, messages created, signed, or transmitted by, to, or via a transaction coordinator in the following description, may instead be created, signed, or transmitted by, to, or via a substitute system component adapted to comprise appropriate hardware and/or software to provide the desired functionality. Thus, for example, the system may be designed so that OCSP requests from a relying customer 108 are transmitted directly to OCSP responder 204 _(IP) by the customer's relying participant 104 and warranty messages to or from an issuing participant 102 are transmitted directly to or from that participant's warranty manager 230 _(IP).

Warranty Claim Procedure

[0099] In a preferred embodiment, relying customer 108, as a third-party beneficiary, may bring a claim against an issuing participant 102 if a warranted fact in a warranty issued by the participant is incorrect, and the relying customer suffers damage as a result of its reliance on the warranted fact. A preferred embodiment of a process for filing and resolving warranty claims is now described in connection with FIG. 7 and FIG. 8.

[0100] Before commencing description of this preferred embodiment, a brief overview of the messages shown in FIG. 8 is presented. Preferred specifications for each of these messages are described in more detail below. As shown in FIG. 8, the system utilizes the following messages in the warranty-claim process:

[0101] (1) WCRequest: used by a relying customer 108 to file a claim against a warranty;

[0102] (2) WCNotification: used by a relying participant 104 to notify an issuing participant 102 and root entity 110 of a filed claim;

[0103] (3) WCResponse: used by an issuing participant 102 to acknowledge receipt of a filed claim;

[0104] (4) WCAck: used by root entity 110 to acknowledge receipt and processing of a filed claim.

[0105] As shown in FIG. 7, in step 701, relying customer 108 files a warranty claim with relying participant 104 by transmitting a WCRequest message to transaction coordinator 202 _(RP) of relying participant 104 (message 1 in FIG. 8). Relying customer 108's claim must preferably include the terms of the warranty (as specified in the warranty-authorized-and-issued message), the date of the claim, and the warranty claim amount.

[0106] In step 702, relying customer 108 provides relying participant 104 with an affidavit certified by a duly authorized person on behalf of relying customer 108 that includes complete and detailed supporting documentation certifying the amount of damages claimed by relying customer 108. Relying customer 108 also provides relying participant 104, to the extent available, written documentation from subscribing customer 106 identifying the particular warranted fact that is alleged to be incorrect. For example, the written documentation from subscribing customer 106 may include a statement denying that it authorized a particular digital signature or acknowledging that its certificate was not valid at the time of the transaction. In a preferred embodiment, the documentation submitted in this step must be submitted within 14 days of the warranty-claim filing.

[0107] In an alternative embodiment, relying customer 108 may submit its claim and supporting documentation directly to issuing participant 102. In this embodiment, the warranty-authorized-and-issued message preferably comprises information to aid relying customer 108 in filing its claim. This information may include a uniform resource locator (URL) that identifies a Web page that contains further claim-processing information and a mailing address for submitting supporting documentation. If relying customer 108 files its claim directly with issuing participant 102, then it preferably provides relying participant 104 with copies of the documentation it files.

[0108] In step 703, relying participant 104 notifies issuing participant 102 and root entity 1 10 of the filed claim by transmitting a WCNotification message to transaction coordinator 202 _(IP) of issuing participant 102 and transaction coordinator 202 _(R) of root entity 110 (messages 2, 3 in FIG. 8). Transaction coordinators 202 _(IP), 202 _(R) forward the notifications to their respective warranty managers 230 _(IP), 230 _(R) (messages 2.1, 3.1 in FIG. 8). In a preferred embodiment, these notifications must be made within twenty-four hours of the time relying participant 104 receives information regarding the filed claim. The notification preferably includes the warranty ID for the warranty that is the subject of the warranty and the warranty claim amount.

[0109] In step 704, warranty manager 230 _(IP) of issuing participant 102 acknowledges receipt of the warranty claim by transmitting a WCResponse message to relying participant 104 via transaction coordinator 202 _(IP) (messages 2.2, 2.3 in FIG. 8). In step 705, transaction coordinator 202 _(R) of relying participant 104 forwards the message to relying customer 108 (message 4 in FIG. 8).

[0110] In step 706, warranty manager 230 _(R) of root entity 110 checks the warranty-claim amount to confirm that it is not greater than the warranted amount and that the date of the claim precedes the warranty expiration date. If both of these conditions are satisfied, then warranty manager 230 _(R) marks the warranty as “claimed” (step 707). Otherwise, the warranty claim is rejected (step 708). In step 709, warranty manager 230 _(R) releases the amount of the claim from issuing participant 102's warranty cap utilization. In a preferred embodiment, this release is performed 48 hours after a warranty is designated as “claimed.”

[0111] In a preferred embodiment, if a claim is filed for less than the full amount of the warranty, then the unclaimed amount is treated as still utilized under an issuing participant's warranty cap. For example, if issuing participant 102 issues a warranty for $500,000 and a claim is filed for $200,000, then $200,000 is released from issuing participant 102's warranty cap utilization, thus becoming available for writing additional warranties. The remaining $300,000 continues be considered as utilized warranty cap, and is not released until the warranty expiration date. If during the warranty claim period, claims for additional losses are made against the remaining amount of the warranty, then the amount of those additional claims may at that time be released from issuing participant 102's warranty cap utilization.

[0112] In step 710, root entity places a hold on issuing participant 102's collateral account for the claimed amount to cover the claim in the event issuing participant 102 defaults. In step 711, warranty manager 230 _(R) of root entity 110 acknowledges receipt and processing of the warranty claim by transmitting a WCAck message to relying participant 104 via transaction coordinator 202 _(R) (messages 3.2, 3.3 in FIG. 8).

[0113] In step 712, issuing participant 102 examines the claim and any supporting documentation and determines whether it will pay the claim. If issuing participant 102 determines to pay the claim, then, in step 713, issuing participant 102 transfers sufficient funds to cover the amount of the claim to relying participant 104 for the benefit of relying customer 108. Relying participant 104 preferably notifies root entity 110 via a daily reporting procedure established by root entity 110 once relying participant 104 has received these funds. Once root entity 110 receives this notification, warranty manager 230 _(R) releases the hold on issuing participant 102's collateral account for the amount of claim paid.

[0114] If issuing participant 102 determines not to pay the claim, then, in step 714, issuing participant 102 and relying customer 108 proceed to dispute resolution to resolve the claim. An exemplary set of dispute resolution procedures is set forth in U.S. provisional application serial No. 60/153,443, filed Sep. 10, 1999, entitled System and Process for Certification in Electronic Commerce, converted into co-pending U.S. patent application Ser. No. 09/657,623, filed Sep. 8, 2000, entitled System and Method for Providing Certificate-Related and Other Services, both of which are hereby incorporated by reference. Root entity 110 preferably does not release collateral held to secure a disputed warranty claim until the dispute is successfully resolved.

[0115] The claims procedure described above is further described in U.S. provisional application serial No. 60/153,443, filed Sep. 10, 1999, entitled System and Process for Certification in Electronic Commerce, converted into co-pending U.S. patent application Ser. No. 09/657,623, filed Sep. 8, 2000, entitled System and Method for Providing Certificate-Related and Other Services, both of which are hereby incorporated by reference.

Warranty Cap Calculation and Daily Processing

[0116] As noted, in a preferred embodiment, root entity 110 imposes a warranty cap on each issuing participant 102 that limits the warranty volume the participant may have outstanding at any point in time. These caps are intended to control the aggregate level of operating risk exposure for individual participants and to control the overall risk in the system.

[0117] In a preferred embodiment, warranty manager 230 _(R) of root entity 110 is tasked with establishing each issuing participant's warranty cap and adjusting the cap as appropriate. Warranty manager 230 _(R) preferably takes into account a plurality of factors in calculating a participant warranty cap, including the participant's total capital, operating loss factor, and credit rating. The credit rating is preferably quantified as a credit discount factor so that it may be incorporated in the warranty-cap calculation, as described below. In addition, as noted below, a participant may raise its warranty cap by submitting credit-based collateral to a collateral agent to cover potential warranty claims.

[0118] One preferred embodiment for calculating a participant warranty cap is:

Participant Warranty Cap=(Total Capital * (1/Operating Loss Factor) * Credit Discount Factor)+(Credit-Based Collateral)

[0119] In a preferred embodiment, total capital represents the capital level of the legal entity under which a participant's certification authority operates (i.e., the entity that signs customer certificates). For example, if a participant operates its certification authority under an operating subsidiary, then the capital level of the subsidiary is used to determine the participant warranty cap. But if the issuing participant operates its certification authority as part of its main financial services entity, then the total capital of that entity is used to determine the participant warranty cap.

[0120] The operating loss factor preferably represents the historical operating loss of the issuing participant for operations within the present system. As will be recognized, when a participant first commences operation in the present system, it cannot immediately be assigned an actual operating loss factor, since there is no historical data from which to calculate it. Accordingly, in a preferred embodiment, all participants are initially assigned an estimated operating loss factor of 0.6% derived in the chart below. Op Loss Factor as Measure % of Assets Source Bank Operating Loss 16-25 bps First Manhattan estimates based on historical operat- ing experience in process- ing business (1993-94) Mutual Fund Operating 40-50 bps First Manhattan estimates; Losses Mutual Fund industry reports on reporting and processing anomalies (1993-94) Average 30 bps Conservative Add-on 2x Estimates Initial Operating Loss 60 bps Factor

[0121] Over time, the operating loss factor is preferably adjusted as actual operating loss data becomes available. In a preferred embodiment, a participant's operating loss factor is adjusted annually to reflect the participant's actual operating loss for the most recent year.

[0122] As noted, each participant's credit rating is preferably translated into a credit discount factor. An exemplary set of credit ratings and associated discount factors are set forth below: Rating Discount Factor AAA (−⋄+) 1.0 AA (−⋄+) 1.0 A (−⋄+) 0.9 BBB+ 0.8 <BBB+ not eligible without explicit collateralization of operations (credit-based collateral)

[0123] An exemplary calculation of a participant warranty cap is illustrated below. Component (Millions) Capital $2,000 Operating Loss Rate     0.60% Credit Rating (Discount Factor) AA (1.0) Total Warranty Cap $333,333 

[0124] In a preferred embodiment, root entity 110 may initially establish a participant warranty cap of $50,000,000 for each participant when the system is first established. The above warranty-cap formula may then preferably be phased in as system entities gain operational experience.

[0125] Once a warranty cap is set for a particular participant, the participant's warranty volume may not exceed the cap. As noted, warranty manager 230 _(R) preferably tracks each issuing participant's warranty cap utilization and checks each time a warranty is proposed to ensure that the participant's cap will not be exceeded. In addition, warranty manager 230 _(R) may check an issuing participant's warranty cap utilization against its participant warranty cap at predetermined intervals, such as daily. If a participant exceeds its warranty cap, then root entity 110 may take reasonable steps to address the situation, including but not limited to, fining the participant or suspending its certificate.

[0126] In a preferred embodiment, warranty manager 230 _(R) is adapted to report to participants their warranty cap utilization and outstanding warranty claims on a regular basis. The reporting frequency may preferably be a function of the percentage of a participant's warranty cap that is currently being utilized One preferred embodiment of a reporting schedule is as follows: Position at beginning of Period (i.e., Daily) Reporting Frequency Less than 80% of Warranty Daily Cap 80-90% of Cap 4 hours Greater than 90% of Cap Real Time

Collateral Requirement Calculation and Daily Processing

[0127] As noted, in a preferred embodiment, root entity 110 imposes collateral requirements on each issuing participant 102 that may be used to pay claims for damages filed by relying customers if the issuing participant is unable or unwilling to satisfy such claims. Although the amount of required collateral need not be adequate to ensure full coverage of all outstanding warranties, the collateral amount is preferably adequate to materially increase the probability of a relying customer's recovery on a warranty claim in the event that an issuing participant is unable or unwilling to honor such a claim.

[0128] In a preferred embodiment, the total collateral amount posted by an issuing participant 102 is made up of two components: performance-based collateral and credit-based collateral. In a preferred embodiment, the performance-based collateral requirement for an issuing participant 102 may be calculated as follows:

Performance-Based Collateral Requirement=[Warranty Volume Outstanding * Operating Loss Factor]+[Aggregate Amount of Outstanding Unpaid Warranty Claims]

[0129] All system participants are preferably required to post performance-based collateral.

[0130] Credit-based collateral is collateral that an issuing participant chooses to post in order to increase its warranty cap. If a participant elects to post credit-based collateral, then it is preferably required to maintain the credit-based collateral until it changes its election and its warranty cap no longer includes the credit-based collateral.

[0131] An exemplary calculation of the required collateral amount for an issuing participant 102 is illustrated below. For purposes of this example, it is assumed that issuing participant 102 has $500 million in issued warranties, an operating loss factor of 0.6%, and outstanding warranty claims of $200,000. As such, issuing participant 102 must maintain in this preferred embodiment a minimum of $3.2 million in performance-based collateral for the benefit of relying customers in the event of default on a warranty claim. As further assumed in the example below, if issuing participant 102 wishes to post an additional $2 million in credit-based collateral to increase its warranty cap, then its total required collateral amount would be $5.2 million. Component $ (millions) (a) Outstanding Claims (100%) $.20 (b) Warranties Issued $500 (c) Operating Loss Rate 0.60% (d) Projected Claims Rate (b*c) $3.00 Performance-Based Collateral $3.20 (a + d) Credit-Based Collateral $2.00 Total Required Collateral $5.20

[0132] In a preferred embodiment, root entity 110 designates the types of collateral (called eligible collateral) that may be posted by participants in satisfaction of the collateral requirements described above. In one preferred embodiment, the only eligible collateral are U.S. dollars and direct obligations of the U.S. government (e.g., U.S. treasury securities). In other preferred embodiments, root entity 110 may establish additional types of eligible collateral.

[0133] In a preferred embodiment, each issuing participant selects its own collateral agent for purposes of administering collateral that it must post. Each issuing participant preferably establishes a collateral account with its collateral agent specifically for the collateral posted in satisfaction of these collateral requirements. Preferably, credit-based collateral is held in a separate account than performance-based collateral.

[0134] In a preferred embodiment, the collateral agent is subject to a contractual obligation under which it may be directed to pay a warranty claim from a participant's collateral account if that participant refuses to pay the claim. Payment may preferably be directed from both credit-based collateral and performance-based collateral to satisfy a claim.

[0135] In a preferred embodiment, root entity 110 updates each issuing participant's collateral requirements and monitors the participant for compliance with those requirements on a regular basis, preferably daily. A preferred updating and monitoring process is now described in connection with FIG. 9.

[0136] As shown in FIG. 9, in step 901, the collateral agent calculates a value for the collateral posted with it by issuing participant 102. In performing this calculation, the collateral agent preferably uses reliable pricing sources to obtain closing market prices of each security included in the collateral. In a preferred embodiment, the collateral value is calculated as the sum of the market values of each security included in the collateral multiplied by a haircut for that security preferably determined by root entity 110. Any collateral that is not eligible collateral is preferably assigned a market value of zero in this valuation.

[0137] In step 902, the collateral agent transmits the calculated collateral value to root entity 110. In step 903, root entity 110 calculates the issuing participant's required collateral amount.

[0138] In step 904, root entity 110 calculates a delivery amount or return amount for the issuing participant and notifies the issuing participant of its required collateral amount and this delivery amount or return amount. A delivery amount is the amount, if any, by which the required collateral amount exceeds the collateral value. A return amount is the amount, if any, by which the collateral value exceeds the required collateral amount.

[0139] If root entity 110 notifies the participant of a delivery amount, then, in step 905, the issuing participant must deliver eligible collateral with a collateral value at least equal to that delivery amount to its collateral agent. Failure to satisfy this requirement within one business day is grounds for suspension of the participant. Otherwise, if root entity 110 notifies the participant of a return amount, then, in step 906, the participant may elect to request the return of collateral with a collateral value no greater than the return amount from its collateral agent.

Warranty Manager Implementation

[0140] In a preferred embodiment, warranty manager 230 is implemented as a database application. If desired, warranty manager 230 may be designed as a true message processing application with a messaging queue 235 and other message processing capabilities as shown, for example in FIG. 10. Alternatively, warranty manager 230 may be designed as a function call processing application with no messaging support as shown in FIG. 11.

[0141] In a preferred embodiment, warranty manager 230 comprises a warranty manager API 240. API 240 is preferably established by root entity 110 and adapted to process all warranty messages exchanged between a warranty manager 230 and a transaction coordinator 202.

[0142] In a preferred embodiment, API 240 is adapted to handle extensible markup language (XML) warranty messages, although other warranty message formats may be supported. API 240 is preferably adapted to enable warranty manager 230 to accept an XML warranty message, parse the contents of the message, and generate a new XML message as output. In order to simplify message processing, warranty manager API 240 is preferably adapted to use a different function to process each of the warranty messages described below.

[0143] In a preferred embodiment, API 240 is implemented in C++. Alternatively, if implemented in Java, API 240 preferably follows the same class and method structure as the C++ implementation described below.

[0144] In a preferred embodiment, API 240 is implemented as a single inheritance C++ class derived from a generic CObject class with appropriate public methods. All API functions return a boolean value of TRUE if successful, otherwise they return FALSE.

[0145] In a preferred embodiment, API 240 is adapted to accept a parameter that sets the environment in which warranty manager 230 operates. The operating environment of warranty manager 230 preferably corresponds to the entity at which warranty manager 230 is implemented. Thus, for example, when initializing or communicating with warranty manager 230 _(R) at root entity 110, this parameter is preferably set to a first value and when initializing or communicating with a warranty manager 230 _(IP) at an issuing participant 102, this parameter is preferably set to a second value.

[0146] A preferred embodiment of API 240 is as follows:

[0147] An alternative embodiment for implementing the above-described messages and DTD is described in U.S. provisional application Ser. No. 60/ 259,796, filed Jan. 4, 2001, entitled Warranty Manager Application Programming Interface, Warranty Messaging Specification, and Warranty Manager Functional Requirements, which is hereby incorporated by reference.

[0148] While the invention has been described in conjunction with specific embodiments, it is evident that numerous alternatives, modifications, and variations will be apparent to those skilled in the art in light of the foregoing description. 

1. A method for providing warranties that warrant one or more facts associated with a digitally-signed electronic message, comprising: assigning a warranty cap to an entity that issues digital certificates; tracking a warranty volume for the entity; receiving a request for a warranty from a subscriber to whom the entity issued a digital certificate, the request for a warranty specifying a warranted amount and claim period; evaluating the request for a warranty to ensure that the warranted amount will not cause the entity's warranty volume to exceed the entity's warranty cap; transmitting a message that confirms issuance of the requested warranty, the message being digitally signed by a component maintained by the entity, the warranty comprising a contract between the entity and the subscriber, a relying party being a third-party beneficiary to the contract; receiving a validation request from the relying party, the validation request requesting validation of a digital certificate for the component that signed the message confirming issuance of the requested warranty; transmitting a validation response to the relying party. 